Stanford University and Coverity are counting defects perl kilo line of code (Defects/KLOC) in popular OSS. I don’t know the criterias. Therefore the absolute values are not very interresting. Beside that it’s a good source to compare the listed programs and get an idea of the security.